KASR: A Reliable and Practical Approach to Attack Surface Reduction of Commodity OS Kernels

  • Zhi Zhang (corresponding author)
  • Yueqiang Cheng
  • Surya Nepal
  • Dongxi Liu
  • Qingni Shen
  • Fethi Rabhi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11050)

Abstract

Commodity OS kernels have broad attack surfaces due to their large code base and numerous features such as device drivers. For a real-world use case (e.g., an Apache server), many kernel services are unused and only a small amount of kernel code is executed. Within the used code, a certain part is invoked only at runtime, while the rest is executed during the startup and/or shutdown phases of the kernel’s lifetime. In this paper, we propose a reliable and practical system, named KASR, which transparently reduces the attack surface of commodity OS kernels at runtime without requiring their source code. The KASR system, residing in a trusted hypervisor, achieves the attack surface reduction through a two-step approach: (1) reliably depriving unused code of executable permissions, and (2) transparently segmenting used code and selectively activating each segment. We implement a prototype of KASR on the Xen-4.8.2 hypervisor and evaluate its security effectiveness on Linux kernel-4.4.0-87-generic. Our evaluation shows that KASR reduces the kernel attack surface by 64% and trims off 40% of CVE vulnerabilities. Besides, KASR successfully detects and blocks all 6 real-world kernel rootkits. We measure its performance overhead with three benchmark tools (i.e., SPECINT, httperf and bonnie++). The experimental results indicate that KASR imposes less than 1% performance overhead (compared to an unmodified Xen hypervisor) on all the benchmarks.
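The two-step approach in the abstract (permanently removing execute permission from never-used kernel code, then activating the used code only in the lifecycle phase where it runs) can be modelled with a small permission map. The following Python is an added illustration written for this page, not KASR's implementation and not derived from the paper's source: it assumes page-granular execute permissions, a constructed per-phase execution profile with hypothetical page numbers, and the three phases (startup, runtime, shutdown) named in the abstract. A denied fetch stands in for the execute violation a hypervisor would observe when code outside the currently active set tries to run.

```python
"""Added conceptual model (not KASR's code) of two-step kernel attack surface
reduction: step 1 strips execute permission from never-used code pages; step 2
segments the used pages by lifecycle phase and activates one segment at a time."""

PHASES = ("startup", "runtime", "shutdown")

# Constructed sample: 64 kernel code pages (page numbers are hypothetical) and
# the pages observed executing in each phase during a training run.
KERNEL_CODE_PAGES = frozenset(range(64))
CONSTRUCTED_PROFILE = {
    "startup": {0, 1, 2, 3, 8, 9},
    "runtime": {0, 1, 16, 17, 18, 19, 20, 21},
    "shutdown": {0, 1, 2, 24},
}


def step1_unused_pages(all_pages, profile):
    """Step 1: pages never observed executing in any phase lose execute
    permission for the kernel's whole lifetime."""
    used = set().union(*profile.values())
    return frozenset(all_pages) - used


def step2_segments(profile):
    """Step 2: used code is segmented by the phase(s) in which it runs; a
    segment is executable only while its phase is current."""
    return {phase: frozenset(profile.get(phase, ())) for phase in PHASES}


class KernelCodePermissions:
    """Models the hypervisor-enforced execute permission map over kernel code pages."""

    def __init__(self, all_pages, profile):
        self.all_pages = frozenset(all_pages)
        self.unused = step1_unused_pages(self.all_pages, profile)
        self.segments = step2_segments(profile)
        self.phase = None
        self.active = frozenset()
        self.blocked = []  # (phase, page, reason) for every denied fetch

    def enter_phase(self, phase):
        """Switch lifecycle phase: only that phase's segment is executable."""
        if phase not in self.segments:
            raise ValueError(f"unknown phase {phase!r}")
        self.phase = phase
        self.active = self.segments[phase]

    def execute(self, page):
        """Model an instruction fetch from `page`. Returns True when allowed;
        a denied fetch is recorded (what an execute violation would report)
        and returns False."""
        if page not in self.all_pages:
            reason = "outside the kernel code region"
        elif page in self.unused:
            reason = "unused code, permanently non-executable"
        elif page not in self.active:
            reason = f"used code but not active in phase {self.phase!r}"
        else:
            return True
        self.blocked.append((self.phase, page, reason))
        return False

    def reduction(self, phase):
        """Share of kernel code pages that are non-executable during `phase`."""
        return 1 - len(self.segments[phase]) / len(self.all_pages)


def demo():
    """Walk the constructed kernel through startup and runtime."""
    pm = KernelCodePermissions(KERNEL_CODE_PAGES, CONSTRUCTED_PROFILE)
    pm.enter_phase("startup")
    pm.execute(3)    # startup code in the startup phase: allowed
    pm.enter_phase("runtime")
    pm.execute(17)   # runtime code: allowed
    pm.execute(3)    # startup-only code at runtime: denied
    pm.execute(40)   # never-used code: denied in every phase
    pm.execute(200)  # not kernel code at all: denied
    return pm


if __name__ == "__main__":
    model = demo()
    print(f"unused pages: {len(model.unused)} of {len(model.all_pages)}")
    print(f"runtime reduction: {model.reduction('runtime'):.1%}")
    for phase, page, reason in model.blocked:
        print(f"blocked fetch in {phase}: page {page}: {reason}")
```

With the constructed profile, 51 of the 64 pages are never executable and only 8 are active at runtime, so the model reports an 87.5% runtime reduction; the 64% figure in the abstract is the paper's measurement on a real kernel, which this toy profile does not reproduce. The distinction between the three denial reasons matters for a defender: a fetch from an unused or out-of-phase page is exactly the signal that lets this kind of system report an attempted execution it did not expect.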

Keywords

Kernel attack surface reduction; Reliable and practical systems; Hardware-assisted virtualization

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Zhi Zhang (1, 2), corresponding author
  • Yueqiang Cheng (3)
  • Surya Nepal (1)
  • Dongxi Liu (1)
  • Qingni Shen (4)
  • Fethi Rabhi (2)

  1. Data61, CSIRO, Sydney, Australia
  2. University of New South Wales, Sydney, Australia
  3. Baidu XLab, Sunnyvale, USA
  4. Peking University, Beijing, China